From eaaa8e89cf69d1e0d581443121f315854d52c75f Mon Sep 17 00:00:00 2001
From: arithmetic1728 <58957152+arithmetic1728@users.noreply.github.com>
Date: Tue, 14 Feb 2023 10:28:18 -0800
Subject: [PATCH] fix: create and reuse self signed jwt creds for better
 performance (#1154)

* fix: create and reuse self signed jwt creds for better performance

* only create jwt cred when needed
---
 .../auth/oauth2/ServiceAccountCredentials.java     | 14 ++++++++++++--
 .../auth/oauth2/ServiceAccountCredentialsTest.java |  2 ++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
index 479041ead..c6c95a71c 100644
--- a/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
+++ b/oauth2_http/java/com/google/auth/oauth2/ServiceAccountCredentials.java
@@ -110,6 +110,8 @@ public class ServiceAccountCredentials extends GoogleCredentials
 
   private transient HttpTransportFactory transportFactory;
 
+  private transient JwtCredentials selfSignedJwtCredentialsWithScope = null;
+
   /**
    * Internal constructor
    *
@@ -704,6 +706,11 @@ public boolean getUseJwtAccessWithScope() {
     return useJwtAccessWithScope;
   }
 
+  @VisibleForTesting
+  JwtCredentials getSelfSignedJwtCredentialsWithScope() {
+    return selfSignedJwtCredentialsWithScope;
+  }
+
   @Override
   public String getAccount() {
     return getClientEmail();
@@ -935,8 +942,11 @@ public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException
     // Otherwise, use self signed JWT with uri as the audience.
     JwtCredentials jwtCredentials;
     if (!createScopedRequired() && useJwtAccessWithScope) {
-      // Create JWT credentials with the scopes.
-      jwtCredentials = createSelfSignedJwtCredentials(null);
+      // Create selfSignedJwtCredentialsWithScope when needed and reuse it for better performance.
+      if (selfSignedJwtCredentialsWithScope == null) {
+        selfSignedJwtCredentialsWithScope = createSelfSignedJwtCredentials(null);
+      }
+      jwtCredentials = selfSignedJwtCredentialsWithScope;
     } else {
       // Create JWT credentials with the uri as audience.
       jwtCredentials = createSelfSignedJwtCredentials(uri);
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
index 14eb16b92..f3b3f0983 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountCredentialsTest.java
@@ -1465,6 +1465,7 @@ public void getRequestMetadata_selfSignedJWT_withScopes() throws IOException {
             .build();
 
     Map<String, List<String>> metadata = credentials.getRequestMetadata(CALL_URI);
+    assertNotNull(((ServiceAccountCredentials) credentials).getSelfSignedJwtCredentialsWithScope());
     verifyJwtAccess(metadata, "dummy.scope");
   }
 
@@ -1518,6 +1519,7 @@ public void getRequestMetadata_selfSignedJWT_withAudience() throws IOException {
             .build();
 
     Map<String, List<String>> metadata = credentials.getRequestMetadata(CALL_URI);
+    assertNull(((ServiceAccountCredentials) credentials).getSelfSignedJwtCredentialsWithScope());
     verifyJwtAccess(metadata, null);
   }